CVE-2019-10395: XSS
First published: Thu Sep 12 2019(Updated: )
Build Environment Plugin did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins applies the missing escaping by default since 2.146 and LTS 2.138.2, so newer Jenkins releases are not affected by this vulnerability. Build Environment Plugin now escapes all variables displayed in its views.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Build Environment | <=1.6 | |
| maven/org.jenkins-ci.plugins:build-environment | <1.7 | 1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2019/09/12/2
- https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1476
- https://nvd.nist.gov/vuln/detail/CVE-2019-10395
- https://github.com/jenkinsci/build-environment-plugin/commit/c9797608e839d0dce1957e3c1b512b872839e603
- https://github.com/advisories/GHSA-88qj-3q6h-8m5q (Advisory)
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-88qj-3q6h-8m5q
- alias/CVE-2019-10395
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/last-modified-date
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- agent/trending
- vendor/jenkins
- canonical/jenkins build environment
- version/jenkins build environment/1.6
- package-manager/maven